Decision:

IF risks are low, THEN Never create a security architecture.
OTHERWISE IF large-scale information infrastructure changes are being made, THEN Create or update security architecture as part of enterprise information infrastructure design or redesign.
OTHERWISE IF the business moves over a size threshold (typically small to medium, medium to large, and at or around $1B), THEN Create or update security architecture based on changing operational modes.
OTHERWISE IF a security architecture is already in place, THEN Periodically revisit security architecture as technology and systems change.
OTHERWISE IF risks are high, THEN Continuously update security architecture.
OTHERWISE Create a security architecture.

Basis:

Never create a security architecture. Creating a security architecture requires a substantial amount of
time, effort, and other resources. Unless risks justify a systematic
approach, the benefits don't warrant the costs.

Create or update security architecture as part of enterprise information infrastructure design or redesign. Whenever a major redesign is undertaken, it is an ideal time to
architect security along with the new infrastructure. This will help
to integrate protection issues into enterprise infrastructure design,
save time and money on retrofits, and avoid unnecessarily weak
protection. Costs will be small compared to the costs of the rest
of the effort, and benefits will likely be large.

Create or update security architecture based on changing operational modes. As businesses change the manner in which they operate, which most
often happens when they pass particular thresholds of size, or when
they go public, it becomes important to re-evaluate issues related to
information protection to meet the substantial changes in the way
management and operations function.

Periodically revisit security architecture as technology and systems change. At least once a year, existing security architecture should be
reviewed for changes. In addition, for enterprises that are at Defined or
higher maturity levels, enterprise inventory and risk control
processes should define workflows that trigger architectural reviews
when risks associated with changes justify such a review.

Continuously update security architecture. For high-risk situations, security architecture should
be intimately tied to every element of design and operation, and minor
adaptations to each should be made in concert with each other over
time. However, these changes should be at the design level whenever
possible, and architectural changes should only be made when justified,
even if the architecture is revisited often.

Create a security architecture. All other things being equal, if no security architecture is in
place, and if none of the other conditions hold, a security
architecture should be put in place.